Impact
The NGINX Cache Optimizer plugin for WordPress fails to enforce a capability check on the ‘nginxcacheoptimizer-blacklist-update’ AJAX action. As a result, any authenticated user with Subscriber-level access or higher can send a crafted request to add or alter URLs in the Exclude URLs From Dynamic Caching setting. This unauthorized modification lets an attacker manipulate the caching behaviour of a WordPress site, potentially causing legitimate pages to be cached or excluded inappropriately, which may lead to degraded performance, incorrect content delivery, or inadvertent exposure of sensitive information through the cache. The associated weakness is a missing authorization check (CWE‑862).
Affected Systems
The vulnerability applies to installations of the getclouder NGINX Cache Optimizer WordPress plugin with versions up to and including 1.1. Any WordPress site that has this plugin installed and does not have a later patched version is affected.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity. The EPSS score of less than 1% indicates a low likelihood of exploitation in the wild, and the vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires an authenticated attacker who can log into the WordPress site with Subscriber or higher privileges. Once authenticated, the attacker simply triggers the AJAX endpoint to modify the exclusion list. Because the attack neither requires elevated privileges nor involves remote code execution, the risk is primarily confined to the site's caching configuration rather than to full system compromise.
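Until the plugin itself enforces the check, a site owner can supply it from outside by hooking the same AJAX action ahead of the plugin's handler. The must-use plugin below is an added example, not the plugin's own code or a vendor fix; the `manage_options` capability, the file name and the `nco_guard_` names are assumptions chosen for illustration.

```php
<?php
/**
 * Added example (not the plugin's code): must-use plugin that gates the
 * AJAX action named in this advisory.
 * Save as wp-content/mu-plugins/nco-ajax-guard.php (file name is arbitrary).
 */

defined( 'ABSPATH' ) || exit;

// Hook name = "wp_ajax_" + the action from the advisory. WordPress fires this
// hook for every logged-in user, whatever their role.
const NCO_GUARD_HOOK = 'wp_ajax_nginxcacheoptimizer-blacklist-update';

// Assumption: only administrators should edit the cache exclusion list.
const NCO_GUARD_CAPABILITY = 'manage_options';

function nco_guard_blacklist_update() {
    if ( current_user_can( NCO_GUARD_CAPABILITY ) ) {
        return; // Authorized: fall through to the plugin's own handler.
    }

    // Leave a trail for detection: who tried, and from where.
    $user = wp_get_current_user();
    error_log( sprintf(
        'nco-ajax-guard: denied blacklist update user_id=%d login=%s ip=%s',
        $user->ID,
        $user->user_login,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    // wp_send_json_error() sends the response and ends the request, so the
    // callbacks registered after this one never run.
    wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}

// PHP_INT_MIN is the lowest possible priority value, so this guard runs
// before callbacks registered at the default priority of 10.
add_action( NCO_GUARD_HOOK, 'nco_guard_blacklist_update', PHP_INT_MIN );
```

Denied attempts appear in the PHP error log with the `nco-ajax-guard:` prefix, which gives a simple string to alert on.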